From 4d67a36c0a07ef8e07b8760b0e883bd42c0177ec Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Thu, 21 Jan 2021 11:04:05 +0100

Subject: [PATCH] Add variable selector and notes for R29

---

 controls/anssi.yml | 14 +++++++++++++-

 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/controls/anssi.yml b/controls/anssi.yml

index dec9d68c99..3303d70295 100644

--- a/controls/anssi.yml

+++ b/controls/anssi.yml

@@ -521,10 +521,22 @@ controls:

     description: >-

       Remote user sessions (shell access, graphical clients) must be closed

       after a certain period of inactivity.

+    notes: >-

+      There is no specific capability to check remote user inactivity, but some shells allow the

+      session inactivity time out to be configured via TMOUT variable.

+      In OpenSSH < 8.2 the inactivity of the user is implied from the network inactivity.

+      The server is configured to disconnect sessions if no data has been received within the idle timeout,

+      regardless of liveness status (ClientAliveCountMax is 0 and ClientAliveInterval is > 0).

+      In OpenSSH >= 8.2 there is no way to disconnect sessions based on client liveness.

+      The semantics of "ClientAliveCountMax 0" has changed from "disconnect on first timeout" to

+      "don't disconnect network inactive sessions". The server either probes for the client liveness

+      or keeps inactive sessions connected.

+    automated: yes

     rules:

     - accounts_tmout

+    - var_accounts_tmout=10_min

     - sshd_set_idle_timeout

-    - sshd_idle_timeout_value=5_minutes

+    - sshd_idle_timeout_value=10_minutes

     - sshd_set_keepalive

   - id: R30